In continuation of the previous blog post.
Some of the cracked password hashes belonged to HBGary's top management, and those same passwords had been reused to log on to other web services. From this point onwards it was largely a matter of coincidence: Anonymous got hold of a server that had not been patched for a particular vulnerability and, through it, ultimately gained root access.
On top of this, one of the cracked passwords belonged to the mail administrator (none other than Aaron Barr), which made it far easier for Anonymous to initiate a social-engineering attack.
To launch a social-engineering attack one needs to find the target, throw at that target some precise information which cannot be questioned, and then hope the bait is taken without any questions asked.
For this attack to succeed, Anonymous had found the root passwords for rootkit.com in one of the emails and had also pinpointed the administrator of the firewall and the server. After that it was just a matter of time before everything was handed over to them and rootkit.com was compromised.
As Anonymous put it while chatting with Greg on their IRC channel:
[04:18] <&Sabu> greg, a 16 year old girl social engineered your admin jussi and got root to rootkit.com
Social-engineering attacks come in many shapes and sizes, but they leave a very distinctive trail, one that no software product or security adviser will ever teach you to see. To understand this point, one should read the mail transcripts, which are available here.
After reading these transcripts, one will realise that the emails sent from Greg's account were indeed written by a 16 or 17 year old who is addicted to texting, while Jussi's replies genuinely seem to come from Jussi's own free will. How can one tell? The language used in the mails tells it all.
The human mind is capable of recognising such anomalous patterns in a way no software application can emulate, and overriding one's own sense of what is sensible is the biggest mistake one can make. Opening the SSH port to all IPs is a 100% no, especially when SSH access had been deliberately disabled. No matter how busy a person is, finding out one's public IP and giving it to the admin, so that the rule can be scoped to that single address, does not take much time.
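The distinction in the paragraph above, between opening SSH to all IPs and opening it only to the admin's known public IP, as an added example that is not part of the original post and says nothing about HBGary's or rootkit.com's actual configuration: a small Python audit over constructed iptables-save style rule lines that flags any ACCEPT of port 22 whose source is broader than a single host, plus a helper that only emits a rule when handed exactly one host address. The rule lines, the addresses (taken from the documentation ranges) and the function names are all assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed iptables-save style rule lines (not from the original post, not
# HBGary's or rootkit.com's configuration). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as stand-ins for real addresses.
SAMPLE_RULES = """\
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Pulls the chain, optional source (-s ...), destination port and target out of
# one iptables-save line. Only the subset of syntax used above is handled.
RULE_RE = re.compile(
    r"-A\s+(\S+)"            # chain
    r"(?:\s+-s\s+(\S+))?"    # optional source spec
    r".*?--dport\s+(\d+)"    # destination port
    r".*?-j\s+(\S+)"         # target
)


def source_network(src):
    """Map an iptables source spec to an ip_network. A missing or negated
    source means 'anywhere', which is what it amounts to in practice."""
    if src is None or src.startswith("!"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def is_single_host(src):
    """True only for a spec naming exactly one address, e.g. 203.0.113.10 or 203.0.113.10/32."""
    try:
        return source_network(src).num_addresses == 1
    except ValueError:
        return False


def audit_ssh_rules(rules_text, port=22):
    """Return (rule, reason) pairs for every ACCEPT of `port` whose source is
    broader than one host. A /32 for the admin's current public IP passes; an
    unscoped rule, 0.0.0.0/0 or a whole subnet is flagged."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        chain, src, dport, target = m.groups()
        if int(dport) != port or target != "ACCEPT":
            continue
        net = source_network(src)
        if net.num_addresses > 1:
            findings.append((line.strip(),
                             f"port {port} accepted from {net} "
                             f"({net.num_addresses} addresses) in chain {chain}"))
    return findings


def scoped_ssh_rule(admin_src, port=22):
    """Emit the rule a careful admin would add: exactly one host, or refuse."""
    if not is_single_host(admin_src):
        raise ValueError(f"refusing to open port {port} to {admin_src!r}: need a single host address")
    net = source_network(admin_src)
    return f"-A INPUT -s {net.with_prefixlen} -p tcp -m tcp --dport {port} -j ACCEPT"


if __name__ == "__main__":
    for rule, reason in audit_ssh_rules(SAMPLE_RULES):
        print(f"FLAG: {reason}\n      {rule}")
    print("OK:  ", scoped_ssh_rule("203.0.113.10"))
```

Run against the constructed rule set, the audit flags three of the four port-22 rules (the unscoped one, the explicit 0.0.0.0/0 and the /24) and passes only the /32; `scoped_ssh_rule` refuses anything that is not one host, which is the check Jussi would have needed before changing the firewall on a request that arrived by email.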
Watching IRC conversations and reading email threads reveals a lot about a person's traits, mental makeup and other factors; some call it profiling. It is an interesting subject.
This social-engineering attack on HBGary has again proved that IT security and organisational hierarchy should never be mixed: a request from someone senior is not a substitute for verification. Sadly, this happens everywhere.
Next: Infiltration Methodology using Social Media.